/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
string principalIdStr = null;
if (principalId == Guid.Empty)
{
principalIdStr = ActiveDirectoryClient.GetAdfsObjectId(parameters.ADObjectFilter);
}
else
{
principalIdStr = principalId.ToString();
}
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string scope = parameters.Scope;
string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId);
var createProperties = new RoleAssignmentProperties
{
PrincipalId = principalIdStr,
RoleDefinitionId = roleDefinitionId
};
var createParameters = new RoleAssignmentCreateParameters(createProperties);
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope, roleAssignmentId.ToString(), createParameters);
return(assignment.ToPSRoleAssignment(this, ActiveDirectoryClient));
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
{
string principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
string scope = parameters.Scope;
string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);
parameters.Description = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
parameters.Condition = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
CanDelegate = parameters.CanDelegate,
Description = parameters.Description,
Condition = parameters.Condition,
ConditionVersion = parameters.ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope, roleAssignmentId.ToString(), createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, string subscriptionId)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, GetRoleRoleDefinition(parameters.RoleDefinitionName).Id)
: AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, parameters.RoleDefinitionId);
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;
IEnumerable <RoleAssignment> assignments = new List <RoleAssignment>()
{
assignment
};
return(assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault());
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string scope = parameters.Scope;
ValidateScope(scope);
string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId);
#if !NETSTANDARD
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;
#else
var createParameters = new RoleAssignmentProperties
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope,
roleAssignmentId.ToString(), createParameters);
#endif
return(assignment.ToPSRoleAssignment(this, ActiveDirectoryClient));
}
/// <summary>
/// Deletes a role assignments based on the used options.
/// </summary>
/// <param name="options">The role assignment filtering options</param>
/// <param name="subscriptionId">Current subscription id</param>
/// <returns>The deleted role assignments</returns>
public IEnumerable <PSRoleAssignment> RemoveRoleAssignment(FilterRoleAssignmentsOptions options, string subscriptionId)
{
// Match role assignments at exact scope. Ideally, atmost 1 roleAssignment should match the criteria
// but an edge case can have multiple role assignments to the same role or multiple role assignments to different roles, with same name.
// The FilterRoleAssignments takes care of paging internally
IEnumerable <PSRoleAssignment> roleAssignments = FilterRoleAssignments(options, currentSubscription: subscriptionId)
.Where(ra => ra.Scope.TrimEnd('/').Equals(options.Scope.TrimEnd('/'), StringComparison.OrdinalIgnoreCase));
if (roleAssignments == null || !roleAssignments.Any())
{
throw new KeyNotFoundException("The provided information does not map to a role assignment.");
}
else if (roleAssignments.Count() == 1)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignments.Single().RoleAssignmentId);
}
else
{
// All assignments are to the same roleDefinition Id.
if (roleAssignments.All(a => a.RoleDefinitionId == roleAssignments.First().RoleDefinitionId))
{
foreach (var assignment in roleAssignments)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(assignment.RoleAssignmentId);
}
}
else
{
// Assignments to different roleDefintion Ids. This can happen only if roleDefinition name was provided and multiple roles exists with same name.
throw new InvalidOperationException(string.Format(ProjectResources.MultipleRoleDefinitionsFoundWithSameName, options.RoleDefinitionName));
}
}
return(roleAssignments);
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
};
AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);
return(AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment.ToPSRoleAssignment(this, ActiveDirectoryClient));
}
/// <summary>
/// Deletes a role assignments based on the used options.
/// </summary>
/// <param name="options">The role assignment filtering options</param>
/// <returns>The deleted role assignments</returns>
public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
{
PSRoleAssignment roleAssignment = FilterRoleAssignments(options).FirstOrDefault();
if (roleAssignment != null)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
}
else
{
throw new KeyNotFoundException("The provided information does not map to a role assignment.");
}
return(roleAssignment);
}
/// <summary>
/// Deletes a role assignments based on the used options.
/// </summary>
/// <param name="options">The role assignment filtering options</param>
/// <returns>The deleted role assignments</returns>
public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
{
// Match role assignments at exact scope. At most 1 roleAssignment should match the criteria
PSRoleAssignment roleAssignment = FilterRoleAssignments(options, currentSubscription: string.Empty)
.Where(ra => ra.Scope == options.Scope.TrimEnd('/'))
.FirstOrDefault();
if (roleAssignment != null)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
}
else
{
throw new KeyNotFoundException("The provided information does not map to a role assignment.");
}
return(roleAssignment);
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
{
var assigneeID = parameters.ADObjectFilter?.Id;
var assigneeObjectType = parameters.ADObjectFilter?.ObjectType;
if (string.IsNullOrWhiteSpace(assigneeObjectType) || string.IsNullOrWhiteSpace(assigneeID))
{
try
{
var assigneeObject = ActiveDirectoryClient.GetADObject(parameters.ADObjectFilter);
assigneeID = assigneeID ?? assigneeObject?.Type;
assigneeObjectType = assigneeObjectType ?? assigneeObject?.Type;
}
catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException) when(!string.IsNullOrEmpty(assigneeID))
{
// If assigneeID is not null, swallow OdataErrorException
}
}
string principalId = assigneeID;
roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
string scope = parameters.Scope;
string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);
parameters.Description = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
parameters.Condition = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId,
PrincipalType = assigneeObjectType,
RoleDefinitionId = roleDefinitionId,
Description = parameters.Description,
Condition = parameters.Condition,
ConditionVersion = parameters.ConditionVersion
};
return(AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId.ToString(), createParameters).ToPSRoleAssignment(this, ActiveDirectoryClient));
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
{
var asigneeID = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
string asigneeObjectType = parameters.ADObjectFilter?.ObjectType;
if (string.IsNullOrWhiteSpace(asigneeObjectType))
{
var asigneeObject = ActiveDirectoryClient.GetObjectsByObjectId(new List <string>()
{
asigneeID
}).SingleOrDefault();
asigneeObjectType = (!(asigneeObject is PSErrorHelperObject) && asigneeObject != null) ? asigneeObject.Type : null;
}
string principalId = asigneeID;
roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
string scope = parameters.Scope;
string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);
parameters.Description = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
parameters.Condition = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
PrincipalType = asigneeObjectType,
RoleDefinitionId = roleDefinitionId,
CanDelegate = parameters.CanDelegate,
Description = parameters.Description,
Condition = parameters.Condition,
ConditionVersion = parameters.ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope, roleAssignmentId.ToString(), createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
{
PSADObject asignee = ActiveDirectoryClient.GetADObject(parameters.ADObjectFilter);
if (asignee == null)
{
throw new ArgumentException(ProjectResources.NoADObjectFound);
}
string principalId = asignee.Id;
string principalType = asignee is PSADUser ? "User" : asignee is PSADServicePrincipal ? "ServicePrincipal" : asignee is PSADGroup ? "Group" : null;
roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
string scope = parameters.Scope;
string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);
parameters.Description = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
parameters.Condition = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
PrincipalType = principalType,
RoleDefinitionId = roleDefinitionId,
CanDelegate = parameters.CanDelegate,
Description = parameters.Description,
Condition = parameters.Condition,
ConditionVersion = parameters.ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope, roleAssignmentId.ToString(), createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <returns>The filtered role assignments</returns>
public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options)
{
List <PSRoleAssignment> result = new List <PSRoleAssignment>();
ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();
if (options.ADObjectFilter.HasFilter)
{
// Filter first by principal
parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? ActiveDirectoryClient.GetObjectId(options.ADObjectFilter) : Guid.Parse(options.ADObjectFilter.Id);
result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
.RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
// Filter out by scope
if (!string.IsNullOrEmpty(options.Scope))
{
result.RemoveAll(r => !options.Scope.StartsWith(r.Scope));
}
}
else if (!string.IsNullOrEmpty(options.Scope))
{
// Filter by scope and above directly
parameters.AtScope = true;
result.AddRange(AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters)
.RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
}
else
{
result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
.RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
}
if (!string.IsNullOrEmpty(options.RoleDefinition))
{
result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinition, StringComparison.OrdinalIgnoreCase)).ToList();
}
return(result);
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties {
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment;
IEnumerable <RoleAssignment> assignments = new List <RoleAssignment>()
{
assignment
};
return(assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault());
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties {
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment;
IEnumerable<RoleAssignment> assignments = new List<RoleAssignment>() { assignment };
return assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault();
}
public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
{
List <PSRoleAssignment> result = new List <PSRoleAssignment>();
string assignedToPrincipalId = null;
string principalId = null;
PSADObject adObject = null;
if (options.ADObjectFilter.HasFilter)
{
adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
if (adObject == null)
{
throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
}
// Filter first by principal
if (options.ExpandPrincipalGroups)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
}
assignedToPrincipalId = adObject.Id.ToString();
}
else
{
principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id.ToString()) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
}
var tempResult = AuthorizationManagementClient.RoleAssignments.List(
new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink);
result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
}
// Filter out by scope
if (!string.IsNullOrEmpty(options.Scope))
{
result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.OrdinalIgnoreCase));
}
}
else if (!string.IsNullOrEmpty(options.Scope))
{
// Filter by scope and above directly
var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(
options.Scope,
new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(
f => f.AtScope() && f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextPageLink);
result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
}
}
else
{
var tempResult = AuthorizationManagementClient.RoleAssignments.List(
new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
result.AddRange(tempResult
.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink);
result.AddRange(tempResult
.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
}
}
if (!string.IsNullOrEmpty(options.RoleDefinitionName))
{
result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
}
if (options.IncludeClassicAdministrators)
{
// Get classic administrator access assignments
List <ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators
.List(AuthorizationManagementClient.ApiVersion).ToList();
List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();
// Filter by principal if provided
if (options.ADObjectFilter.HasFilter)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
}
var userObject = adObject as PSADUser;
classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList();
}
result.AddRange(classicAdministratorsAssignments);
}
return(result);
}
/// <summary>
/// Deletes a role assignments based on the used options.
/// </summary>
/// <param name="options">The role assignment filtering options</param>
/// <returns>The deleted role assignments</returns>
public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
{
// Match role assignments at exact scope. At most 1 roleAssignment should match the criteria
PSRoleAssignment roleAssignment = FilterRoleAssignments(options, currentSubscription: string.Empty)
.Where(ra => ra.Scope == options.Scope.TrimEnd('/'))
.FirstOrDefault();
if (roleAssignment != null)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
}
else
{
throw new KeyNotFoundException("The provided information does not map to a role assignment.");
}
return roleAssignment;
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, string subscriptionId)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, GetRoleRoleDefinition(parameters.RoleDefinitionName).Id)
: AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, parameters.RoleDefinitionId);
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;
IEnumerable<RoleAssignment> assignments = new List<RoleAssignment>() { assignment };
return assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault();
}
/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <returns>The filtered role assignments</returns>
#if !NETSTANDARD
public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
{
List <PSRoleAssignment> result = new List <PSRoleAssignment>();
List <RoleAssignment> roleAssignments = new List <RoleAssignment>();
ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();
PSADObject adObject = null;
if (options.ADObjectFilter.HasFilter)
{
if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators)
{
adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
if (adObject == null)
{
throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
}
}
// Filter first by principal
if (options.ExpandPrincipalGroups)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
}
parameters.AssignedToPrincipalId = adObject.Id;
}
else
{
parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
}
var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
}
// Filter out by scope
if (!string.IsNullOrWhiteSpace(options.Scope))
{
roleAssignments.RemoveAll(r => !options.Scope.StartsWith(r.Properties.Scope, StringComparison.InvariantCultureIgnoreCase));
}
}
else if (!string.IsNullOrEmpty(options.Scope))
{
// Filter by scope and above directly
parameters.AtScope = true;
var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextLink);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
}
}
else
{
var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
}
}
// To look for RoleDefinitions at the stated scope - if scope is Null then default to subscription scope
string scopeForRoleDefinitions = string.IsNullOrEmpty(options.Scope) ? AuthorizationHelper.GetSubscriptionScope(currentSubscription) : options.Scope;
result.AddRange(roleAssignments.FilterRoleAssignmentsOnRoleId(options.RoleDefinitionId)
.ToPSRoleAssignments(this, ActiveDirectoryClient, scopeForRoleDefinitions, options.ExcludeAssignmentsForDeletedPrincipals));
if (!string.IsNullOrEmpty(options.RoleDefinitionName))
{
result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
}
if (options.IncludeClassicAdministrators)
{
// Get classic administrator access assignments
List <ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList();
List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();
// Filter by principal if provided
if (options.ADObjectFilter.HasFilter)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
}
var userObject = adObject as PSADUser;
classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList();
}
result.AddRange(classicAdministratorsAssignments);
}
return(result);
}
/// <summary>
/// Deletes a role assignments based on the used options.
/// </summary>
/// <param name="options">The role assignment filtering options</param>
/// <param name="subscriptionId">Current subscription id</param>
/// <returns>The deleted role assignments</returns>
public IEnumerable<PSRoleAssignment> RemoveRoleAssignment(FilterRoleAssignmentsOptions options, string subscriptionId)
{
// Match role assignments at exact scope. Ideally, atmost 1 roleAssignment should match the criteria
// but an edge case can have multiple role assignments to the same role or multiple role assignments to different roles, with same name.
// The FilterRoleAssignments takes care of paging internally
IEnumerable<PSRoleAssignment> roleAssignments = FilterRoleAssignments(options, currentSubscription: subscriptionId)
.Where(ra => ra.Scope == options.Scope.TrimEnd('/'));
if (roleAssignments == null || !roleAssignments.Any())
{
throw new KeyNotFoundException("The provided information does not map to a role assignment.");
}
else if (roleAssignments.Count() == 1)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignments.Single().RoleAssignmentId);
}
else
{
// All assignments are to the same roleDefinition Id.
if (roleAssignments.All(a => a.RoleDefinitionId == roleAssignments.First().RoleDefinitionId))
{
foreach (var assignment in roleAssignments)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(assignment.RoleAssignmentId);
}
}
else
{
// Assignments to different roleDefintion Ids. This can happen only if roleDefinition name was provided and multiple roles exists with same name.
throw new InvalidOperationException(string.Format(ProjectResources.MultipleRoleDefinitionsFoundWithSameName, options.RoleDefinitionName));
}
}
return roleAssignments;
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
};
AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);
return AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
}
public override void ExecuteCmdlet()
{
FilterRoleAssignmentsOptions parameters = new FilterRoleAssignmentsOptions()
{
Scope = Scope,
RoleDefinition = RoleDefinitionName,
ADObjectFilter = new ADObjectFilterOptions
{
Mail = Mail,
UPN = UserPrincipalName,
SPN = ServicePrincipalName,
Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
},
ResourceIdentifier = new ResourceIdentifier()
{
ParentResource = ParentResource,
ResourceGroupName = ResourceGroupName,
ResourceName = ResourceName,
ResourceType = ResourceType,
Subscription = CurrentContext.Subscription.Id.ToString(),
}
};
WriteObject(PoliciesClient.CreateRoleAssignment(parameters));
}
/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <returns>The filtered role assignments</returns>
public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options)
{
List<PSRoleAssignment> result = new List<PSRoleAssignment>();
ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();
if (options.ADObjectFilter.HasFilter)
{
// Filter first by principal
parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? ActiveDirectoryClient.GetObjectId(options.ADObjectFilter) : Guid.Parse(options.ADObjectFilter.Id);
result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
.RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
// Filter out by scope
if (!string.IsNullOrEmpty(options.Scope))
{
result.RemoveAll(r => !options.Scope.StartsWith(r.Scope));
}
}
else if (!string.IsNullOrEmpty(options.Scope))
{
// Filter by scope and above directly
parameters.AtScope = true;
result.AddRange(AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters)
.RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
}
else
{
result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
.RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
}
if (!string.IsNullOrEmpty(options.RoleDefinition))
{
result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinition, StringComparison.OrdinalIgnoreCase)).ToList();
}
return result;
}
public override void ExecuteCmdlet()
{
PSRoleAssignment roleAssignment = null;
FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
{
Scope = Scope,
RoleDefinition = RoleDefinitionName,
ADObjectFilter = new ADObjectFilterOptions
{
Mail = Mail,
Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
UPN = UserPrincipalName,
SPN = ServicePrincipalName
},
ResourceIdentifier = new ResourceIdentifier()
{
ParentResource = ParentResource,
ResourceGroupName = ResourceGroupName,
ResourceName = ResourceName,
ResourceType = ResourceType,
Subscription = Profile.Context.Subscription.Id.ToString()
}
};
ConfirmAction(
Force.IsPresent,
string.Format(ProjectResources.RemovingRoleAssignment,
options.ADObjectFilter.ActiveFilter,
options.Scope,
options.RoleDefinition),
ProjectResources.RemovingRoleAssignment,
null,
() => roleAssignment = PoliciesClient.RemoveRoleAssignment(options));
if (PassThru)
{
WriteObject(roleAssignment);
}
}
protected override void ProcessRecord()
{
PSRoleAssignment roleAssignment = null;
FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
{
Scope = Scope,
RoleDefinition = RoleDefinitionName,
ADObjectFilter = new ADObjectFilterOptions
{
SignInName = SignInName,
Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
SPN = ServicePrincipalName
},
ResourceIdentifier = new ResourceIdentifier()
{
ParentResource = ParentResource,
ResourceGroupName = ResourceGroupName,
ResourceName = ResourceName,
ResourceType = ResourceType,
Subscription = DefaultProfile.Context.Subscription.Id.ToString()
},
ExcludeAssignmentsForDeletedPrincipals = false
};
ConfirmAction(
Force.IsPresent,
string.Format(ProjectResources.RemovingRoleAssignment,
options.ADObjectFilter.ActiveFilter,
options.Scope,
options.RoleDefinition),
ProjectResources.RemovingRoleAssignment,
null,
() => roleAssignment = PoliciesClient.RemoveRoleAssignment(options));
if (PassThru)
{
WriteObject(roleAssignment);
}
}
public override void ExecuteCmdlet()
{
FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
{
Scope = Scope,
RoleDefinition = RoleDefinitionName,
ADObjectFilter = new ADObjectFilterOptions
{
Mail = Mail,
UPN = UserPrincipalName,
SPN = ServicePrincipalName,
Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
},
ResourceIdentifier = new ResourceIdentifier()
{
ParentResource = ParentResource,
ResourceGroupName = ResourceGroupName,
ResourceName = ResourceName,
ResourceType = ResourceType,
Subscription = string.IsNullOrEmpty(ResourceGroupName) ? null : Profile.Context.Subscription.Id.ToString()
}
};
WriteObject(PoliciesClient.FilterRoleAssignments(options), true);
}
protected override void ProcessRecord()
{
FilterRoleAssignmentsOptions parameters = new FilterRoleAssignmentsOptions()
{
Scope = Scope,
RoleDefinition = RoleDefinitionName,
ADObjectFilter = new ADObjectFilterOptions
{
SignInName = SignInName,
SPN = ServicePrincipalName,
Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
},
ResourceIdentifier = new ResourceIdentifier()
{
ParentResource = ParentResource,
ResourceGroupName = ResourceGroupName,
ResourceName = ResourceName,
ResourceType = ResourceType,
Subscription = DefaultProfile.Context.Subscription.Id.ToString(),
}
};
WriteObject(PoliciesClient.CreateRoleAssignment(parameters));
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(parameters.Scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, parameters.Scope).Id)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(parameters.Scope, parameters.RoleDefinitionId);
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;
return assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
}
public override void ExecuteCmdlet()
{
IEnumerable<PSRoleAssignment> roleAssignments = null;
FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
{
Scope = Scope,
RoleDefinitionName = RoleDefinitionName,
RoleDefinitionId = RoleDefinitionId == Guid.Empty ? null : RoleDefinitionId.ToString(),
ADObjectFilter = new ADObjectFilterOptions
{
UPN = SignInName,
Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
SPN = ServicePrincipalName
},
ResourceIdentifier = new ResourceIdentifier()
{
ParentResource = ParentResource,
ResourceGroupName = ResourceGroupName,
ResourceName = ResourceName,
ResourceType = ResourceType,
Subscription = DefaultProfile.Context.Subscription.Id.ToString()
},
ExcludeAssignmentsForDeletedPrincipals = false
};
ConfirmAction(
Force.IsPresent,
string.Format(ProjectResources.RemovingRoleAssignment,
options.ADObjectFilter.ActiveFilter,
options.Scope,
options.RoleDefinitionName ?? RoleDefinitionId.ToString()),
ProjectResources.RemovingRoleAssignment,
null,
() => roleAssignments = PoliciesClient.RemoveRoleAssignment(options, DefaultProfile.Context.Subscription.Id.ToString()));
if (PassThru)
{
WriteObject(roleAssignments, enumerateCollection: true);
}
}
/// <summary>
/// Deletes a role assignments based on the used options.
/// </summary>
/// <param name="options">The role assignment filtering options</param>
/// <returns>The deleted role assignments</returns>
public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
{
PSRoleAssignment roleAssignment = FilterRoleAssignments(options).FirstOrDefault();
if (roleAssignment != null)
{
AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
}
else
{
throw new KeyNotFoundException("The provided information does not map to a role assignment.");
}
return roleAssignment;
}
/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <returns>The filtered role assignments</returns>
public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription, ulong first = ulong.MaxValue, ulong skip = 0)
{
List <PSRoleAssignment> result = new List <PSRoleAssignment>();
string principalId = null;
PSADObject adObject = null;
Rest.Azure.OData.ODataQuery <RoleAssignmentFilter> odataQuery = null;
if (options.ADObjectFilter.HasFilter)
{
if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators)
{
adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
if (adObject == null)
{
throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
}
}
// Filter first by principal
if (options.ExpandPrincipalGroups)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
}
principalId = adObject.Id.ToString();
odataQuery = new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.AssignedTo(principalId));
}
else
{
principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
odataQuery = new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId);
}
if (!string.IsNullOrEmpty(options.Scope))
{
var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, odataQuery);
result.AddRange(tempResult
.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
}
else
{
var tempResult = AuthorizationManagementClient.RoleAssignments.List(odataQuery);
result.AddRange(tempResult
.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, AuthorizationHelper.GetSubscriptionScope(currentSubscription), options.ExcludeAssignmentsForDeletedPrincipals));
}
// Filter out by scope
if (!string.IsNullOrEmpty(options.Scope))
{
result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.OrdinalIgnoreCase));
}
}
else if (!string.IsNullOrEmpty(options.Scope))
{
// Filter by scope and above directly
var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, odataQuery);
result.AddRange(tempResult
.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
}
else
{
var tempResult = AuthorizationManagementClient.RoleAssignments.List(odataQuery);
result.AddRange(tempResult
.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, AuthorizationHelper.GetSubscriptionScope(currentSubscription), options.ExcludeAssignmentsForDeletedPrincipals));
}
if (!string.IsNullOrEmpty(options.RoleDefinitionName))
{
result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
}
if (options.IncludeClassicAdministrators)
{
// Get classic administrator access assignments
var classicAdministratorsSubscription = currentSubscription;
if (options.Scope != null)
{
classicAdministratorsSubscription = AuthorizationHelper.GetResourceSubscription(options.Scope) ?? currentSubscription;
}
List <ClassicAdministrator> classicAdministrators = new List <ClassicAdministrator>();
if (currentSubscription != classicAdministratorsSubscription)
{
var client = AzureSession.Instance.ClientFactory.CreateArmClient <AuthorizationManagementClient>(AzureRmProfileProvider.Instance.Profile.DefaultContext, AzureEnvironment.Endpoint.ResourceManager);
client.SubscriptionId = classicAdministratorsSubscription;
classicAdministrators = client.ClassicAdministrators.List().ToList();
}
else
{
classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ToList();
}
List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(classicAdministratorsSubscription)).ToList();
// Filter by principal if provided
if (options.ADObjectFilter.HasFilter)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
}
var userObject = adObject as PSADUser;
classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList();
}
result.AddRange(classicAdministratorsAssignments);
}
return(result);
}
/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <returns>The filtered role assignments</returns>
public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
{
List<PSRoleAssignment> result = new List<PSRoleAssignment>();
List<RoleAssignment> roleAssignments = new List<RoleAssignment>();
ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();
PSADObject adObject = null;
if (options.ADObjectFilter.HasFilter)
{
adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
if (adObject == null)
{
throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
}
// Filter first by principal
if (options.ExpandPrincipalGroups)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
}
parameters.AssignedToPrincipalId = adObject.Id;
}
else
{
parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
}
var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
}
// Filter out by scope
if (!string.IsNullOrEmpty(options.Scope))
{
result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.InvariantCultureIgnoreCase));
}
}
else if (!string.IsNullOrEmpty(options.Scope))
{
// Filter by scope and above directly
parameters.AtScope = true;
var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextLink);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
}
}
else
{
var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
}
}
// To look for RoleDefinitions at the stated scope - if scope is Null then default to subscription scope
string scopeForRoleDefinitions = string.IsNullOrEmpty(options.Scope) ? AuthorizationHelper.GetSubscriptionScope(currentSubscription) : options.Scope;
result.AddRange(roleAssignments.FilterRoleAssignmentsOnRoleId(options.RoleDefinitionId)
.ToPSRoleAssignments(this, ActiveDirectoryClient, scopeForRoleDefinitions, options.ExcludeAssignmentsForDeletedPrincipals));
if (!string.IsNullOrEmpty(options.RoleDefinitionName))
{
result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
}
if (options.IncludeClassicAdministrators)
{
// Get classic administrator access assignments
List<ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList();
List<PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();
// Filter by principal if provided
if (options.ADObjectFilter.HasFilter)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
}
var userObject = adObject as PSADUser;
classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase) ||
c.DisplayName.Equals(userObject.Mail, StringComparison.OrdinalIgnoreCase)).ToList();
}
result.AddRange(classicAdministratorsAssignments);
}
return result;
}
protected override void ProcessRecord()
{
FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
{
Scope = Scope,
RoleDefinitionName = RoleDefinitionName,
RoleDefinitionId = RoleDefinitionId == Guid.Empty ? null : RoleDefinitionId.ToString(),
ADObjectFilter = new ADObjectFilterOptions
{
SignInName = SignInName,
SPN = ServicePrincipalName,
Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
},
ResourceIdentifier = new ResourceIdentifier()
{
ParentResource = ParentResource,
ResourceGroupName = ResourceGroupName,
ResourceName = ResourceName,
ResourceType = ResourceType,
Subscription = string.IsNullOrEmpty(ResourceGroupName) ? null : DefaultProfile.Context.Subscription.Id.ToString()
},
ExpandPrincipalGroups = ExpandPrincipalGroups.IsPresent,
IncludeClassicAdministrators = IncludeClassicAdministrators.IsPresent,
ExcludeAssignmentsForDeletedPrincipals = true
};
WriteObject(PoliciesClient.FilterRoleAssignments(options, DefaultProfile.Context.Subscription.Id.ToString()), enumerateCollection: true);
}
public override void ExecuteCmdlet()
{
IEnumerable<PSRoleAssignment> roleAssignments = null;
FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
{
Scope = Scope,
RoleDefinitionName = RoleDefinitionName,
RoleDefinitionId = RoleDefinitionId == Guid.Empty ? null : RoleDefinitionId.ToString(),
ADObjectFilter = new ADObjectFilterOptions
{
UPN = SignInName,
Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
SPN = ServicePrincipalName
},
ResourceIdentifier = new ResourceIdentifier()
{
ParentResource = ParentResource,
ResourceGroupName = ResourceGroupName,
ResourceName = ResourceName,
ResourceType = ResourceType,
Subscription = DefaultProfile.Context.Subscription.Id.ToString()
},
ExcludeAssignmentsForDeletedPrincipals = false,
// we should never expand principal groups in the Delete scenario
ExpandPrincipalGroups = false,
// never include classic administrators in the Delete scenario
IncludeClassicAdministrators = false
};
ConfirmAction(
ProjectResources.RemovingRoleAssignment,
string.Empty,
() =>
{
roleAssignments = PoliciesClient.RemoveRoleAssignment(options,
DefaultProfile.Context.Subscription.Id.ToString());
if (PassThru)
{
WriteObject(roleAssignments, enumerateCollection: true);
}
});
}
